Congress has never succeeded in passing
comprehensive privacy protections for health information, despite the increasing
frequency of interstate transactions in health care. With the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), legislators tried to
goad themselves into action by setting a deadline. If Congress cannot succeed
in passing privacy legislation by August 21, 1999, HIPAA directs the Secretary
of Health and Human Services to issue regulations. At the moment, prospects
for legislation appear dim.

Congress has plenty of privacy bills to
consider, but the devil is in the details. In the Senate, Sen. James Jeffords
(R-Vt.) has tried without success to move a bill melding elements of proposals
made by Jeffords, Sen. Robert Bennett (R-Utah), and Sen. Patrick Leahy
(D-Vt.). The House is mired in debate over H.R. 2470, the "Medical Information
Protection and Research Enhancement Act," introduced by Rep. Jim Greenwood
(R-Pa.). The key issues that divide legislators include:

allowing health plans to deny coverage to
people who refuse to authorize the use of their health information for
the purpose of "health care operations" (a broadly defined term that includes
things like quality assessment and improvement, utilization monitoring,
and rate-setting), as well as for the purposes of medical treatment and
payment;

granting parents access to all aspects of
their children’s medical records;

giving individuals a right to sue over violations; and

preempting state laws that may contain stronger
privacy protections.

The American Medical Association wants a separate
authorization for the use of individually-identifiable health information
for health care operations, and it opposes federal preemption of state
laws. Many consumer groups and privacy advocates agree. (The AMA has also
endorsed more stringent confidentiality protections when individually-identifiable
health information is used in research.) On the other side, insurance companies,
health plans, and employer groups are lobbying hard against introduction
of a separate consent requirement for health care operations, claiming
that it would be the death knell for quality improvement initiatives and
disease management programs. For those seeking objective information, a
number of groups have recently released reports on privacy issues, including
"Best Principles for Health Privacy" from the Health Privacy Working Group,
on July 14, 1999, and "The State of Health Privacy: An Uneven Terrain"
from Georgetown University’s Health Privacy Project, on July 20, 1999.
Both reports are available via the Health Privacy Project’s website at
www.healthprivacy.org.

Meanwhile, something like panic has greeted
a privacy-related amendment to banking reform legislation (H.R. 10). Some
fear the amendment will lead to sharing of medical information among insurance
companies and banks and other entities as they merge to form financial
conglomerates. Under language initially proposed by Rep. Greg Ganske (R-Iowa),
individuals would have the option of refusing authorization for information
sharing, but this choice could then be used to deny services. Privacy advocates
also point to the unclear boundaries of some of the exceptions to the authorization
requirement, and the potential to preempt state laws—and action by the
Secretary of Health and Human Services. On July 15, Rep. Ganske indicated
that he would be willing to address concerns about the effect of his amendment
on the Secretary’s authority to issue regulations.

In the event (or nonevent) of a Congressional
failure to act on privacy, the Secretary of Health and Human Services has
until February 2000 to issue regulations. The Secretary has already published
recommendations, available at http://aspe.os.dhhs.gov/admnsimp/pvcrec.htm.
Of course, members of Congress could always let themselves off the hook
by extending or eliminating the August deadline.